
What is Phishing? Types, How It Works, and How to Identify Attacks

Phishing is a social engineering attack in which a threat actor sends fraudulent communications that appear to originate from a trusted source to steal credentials, financial data, or deliver malware. This guide covers the 6 primary phishing types, the technical mechanics of phishing links, how to verify a URL before clicking, and 4 technical email defenses.

What Is Phishing?

Phishing is a social engineering attack that exploits human trust rather than technical vulnerabilities. The attacker impersonates a legitimate entity—a bank, employer, government agency, or technology platform—to deceive the target into disclosing credentials, clicking a malicious link, or opening a malicious attachment.

Phishing accounts for 36% of all data breaches (Verizon Data Breach Investigations Report 2023). Symantec estimates 3.4 billion phishing emails are sent daily. The FBI’s Internet Crime Complaint Center (IC3) reported phishing as the top cybercrime category in 2022, with 300,497 reported incidents and losses exceeding $52 million.

The term “phishing” derives from the analogy of fishing—attackers cast fraudulent messages as bait, waiting for targets to “bite” by responding, clicking, or entering data.

What Are the 6 Types of Phishing?

Phishing attacks are categorized into 6 types based on delivery channel and targeting precision:


1. Email Phishing

Email phishing is the most common phishing type, using bulk emails that impersonate trusted brands sent to thousands of recipients simultaneously. The attacker spoofs the sender address (e.g., noreply@paypa1.com) and includes a malicious link or attachment. 3.4 billion phishing emails are sent daily (Symantec). Email phishing relies on volume—even a 0.1% click rate across millions of emails yields thousands of victims.

2. Spear Phishing

Spear phishing is a targeted phishing attack directed at a specific individual or organization, using personalized information to increase credibility. The attacker researches the target using LinkedIn, corporate websites, and social media to include the target’s name, job title, colleague names, and recent work context. Spear phishing emails have a 19x higher click rate than generic phishing (Proofpoint 2023).

3. Whaling

Whaling is spear phishing that targets executives (C-suite: CEO, CFO, COO) or other high-value individuals. Whaling attacks seek wire transfer authorization, tax data, intellectual property, or administrative credentials. The 2016 Mattel whaling attack resulted in a $3 million fraudulent wire transfer to a Chinese bank after an attacker impersonated the newly appointed CEO in an email to the CFO.

4. Smishing

Smishing (SMS phishing) delivers phishing attacks via text message. Messages impersonate delivery services (FedEx, UPS), banks, or government agencies with urgent notifications and shortened URLs masking malicious destinations. Smishing click rates are 8x higher than email phishing because users apply less scrutiny to SMS messages and mobile browsers obscure full URLs.

5. Vishing

Vishing (voice phishing) uses telephone calls to impersonate technical support, banks, government agencies (IRS, Social Security Administration), or employers. Attackers use caller ID spoofing to display legitimate phone numbers. The target is manipulated into disclosing credentials, card numbers, or one-time passwords (OTPs) verbally.

6. Pharming

Pharming redirects users from legitimate websites to fraudulent sites by poisoning DNS records or modifying the local hosts file. Unlike phishing, pharming requires no deceptive link—the user types the correct URL but is routed to a malicious server. A 2007 pharming attack on 50 financial institutions redirected users of legitimate banking URLs to fake sites that harvested credentials from over 1 million users.

Anatomy of a Phishing Email

A phishing email contains 5 common structural elements designed to bypass both technical filters and human scrutiny:

  1. Spoofed sender address: The display name shows “PayPal Security” but the actual address is security@paypa1.com or noreply@paypal.com.maliciousdomain.com. Most email clients show display names by default, hiding the real address.
  2. Urgency and threat language: Phrases such as “Your account will be suspended in 24 hours,” “Immediate action required,” or “Unauthorized access detected” trigger emotional responses that bypass rational scrutiny.
  3. Malicious link: The visible hyperlink text shows www.paypal.com but the actual href points to http://paypa1.com/login. Hovering over the link in a desktop email client reveals the real destination URL.
  4. Malicious attachment: Office documents with macros (.docm, .xlsm), PDFs with embedded JavaScript, or compressed archives (.zip, .rar) containing .exe files deliver malware upon opening.
  5. Fraudulent landing page: A pixel-perfect copy of a legitimate login page. Credentials entered are captured by the attacker’s server, and the victim may be redirected to the real site to avoid detection.

How Do Phishing Links Work?

Phishing links use 3 technical techniques to deceive victims into trusting malicious URLs:

Lookalike Domains

Lookalike domains substitute visually similar characters for legitimate ones: paypa1.com (numeral 1 replacing “l”), arnazon.com (letter “n” replacing “m”), g00gle.com (zeros replacing “o”). These domains are registered by attackers and resolve to attacker-controlled servers. At a glance, these URLs appear legitimate.

Homograph Attacks

Homograph attacks use Unicode characters from non-Latin alphabets that are visually identical to Latin characters. The Cyrillic “а” (U+0430) is visually indistinguishable from the Latin “a” (U+0061).

A domain using аpple.com (Cyrillic а) resolves differently from apple.com (Latin a) but appears identical in most browsers. Modern browsers mitigate this with Punycode display for internationalized domains.

Subdomain Spoofing

Subdomain spoofing places the legitimate brand name as a subdomain of an attacker-owned domain: paypal.com.attacker-login.com. The attacker owns attacker-login.com; the leftmost paypal.com portion is a subdomain that the attacker controls. Victims reading left-to-right may see the familiar brand before reaching the attacker’s domain.

How to Verify a Link Before Clicking

4 steps verify whether a link is safe before clicking:

  1. Hover to inspect the actual URL: On desktop email clients and browsers, hovering over a hyperlink displays the actual destination URL in the status bar. Verify the domain matches the expected organization. The actual domain is the hostname portion of the URL (the text between the scheme’s double slash and the first single slash), read from its rightmost component.
  2. Check the TLD and full domain string: paypal.com.login.ru is registered under login.ru, not paypal.com. Read from the rightmost domain component backward to identify the actual registrant.
  3. Use a URL reputation checker: Paste the URL into VirusTotal (virustotal.com), Google Safe Browsing Transparency Report, or URLScan.io before clicking. These services check links against known malicious URL databases and sandbox the page.
  4. Verify via independent channel: If an email claims account activity, navigate to the official site by typing the known URL directly into the browser address bar—do not click the link in the email.
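The lookalike, homograph and subdomain tricks described above, and the right-to-left domain reading in steps 1 and 2, as an added link checker (example code written for this article, not a tool the article describes; the short suffix list and the confusable-character table are constructed assumptions, and a real checker would load the Public Suffix List):

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately short suffix list; a real checker would load the
# Public Suffix List (assumption: these are the only suffixes needed here).
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "io", "co.uk"}
# Visual substitutions seen in lookalike domains (numeral 1 for l, 0 for o, rn for m).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

def registrable_domain(host: str) -> str:
    """Read labels from the right: the public suffix plus one label is what the
    registrant controls (paypal.com.login.ru -> login.ru)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()

def normalize_lookalike(label: str) -> str:
    """Undo the substitutions so paypa1 -> paypal, arnazon -> amazon, g00gle -> google."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def analyze_link(href: str, expected_domain: str, visible_text: str = "") -> dict:
    """Compare a hyperlink's real destination with the domain the message claims."""
    host = urlsplit(href).hostname or ""
    findings = []
    if not host.isascii():
        # Homograph: record the scripts mixed in the name and the Punycode form a browser shows.
        scripts = sorted({unicodedata.name(c, "?").split()[0] for c in host if c.isalpha()})
        host = host.encode("idna").decode("ascii")
        findings.append(f"non-ASCII hostname, Punycode {host}, scripts {scripts}")
    actual = registrable_domain(host)
    if actual != expected_domain:
        findings.append(f"registrable domain is {actual}, not {expected_domain}")
        if expected_domain in host[: len(host) - len(actual)]:
            findings.append("brand name used as a subdomain of an unrelated domain")
        if normalize_lookalike(actual.split(".")[0]) == expected_domain.split(".")[0]:
            findings.append(f"{actual} is a lookalike of {expected_domain}")
    if visible_text:
        # Anchor text can claim one site while the href goes elsewhere.
        shown = urlsplit(visible_text if "://" in visible_text else "//" + visible_text).hostname or ""
        if registrable_domain(shown) != actual:
            findings.append(f"link text shows {shown} but href goes to {host}")
    return {"host": host, "registrable_domain": actual,
            "suspicious": bool(findings), "findings": findings}
```

Running it on the article’s own samples (paypa1.com, paypal.com.attacker-login.com, the Cyrillic аpple.com) produces one finding per trick, and a legitimate www.paypal.com link produces none.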

What Are the 4 Technical Email Defenses Against Phishing?

Email authentication protocols prevent domain spoofing and fraudulent sender addresses at the technical level:

  1. SPF (Sender Policy Framework): A DNS TXT record that lists the IP addresses authorized to send email for a domain. A receiving server checks whether the sending IP is on the SPF list. Emails from unauthorized IPs fail SPF and can be quarantined or rejected.
  2. DKIM (DomainKeys Identified Mail): Adds a cryptographic signature to each outgoing email, signed with the sender’s private key. The receiving server fetches the public key from DNS and verifies the signature. DKIM confirms the email was not modified in transit and originated from an authorized sender.
  3. DMARC (Domain-based Message Authentication, Reporting & Conformance): Builds on SPF and DKIM to specify what a receiving server should do when an email fails authentication: none (monitor only), quarantine (move to spam), or reject (block delivery). DMARC adoption prevents spoofing of the exact domain.
  4. Anti-phishing filters: Email security gateways (Microsoft Defender for Office 365, Proofpoint, Mimecast) analyze email content, links, and attachments using machine learning to detect phishing patterns. Links are rewritten to pass through a real-time scanner when clicked. Attachments are opened in a sandbox before delivery.
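How a receiving server combines items 1 to 3, as an added example (written for this article, not code from any mail product it names): SPF is evaluated for the connecting IP, the DMARC record is parsed, and the message passes only if SPF or DKIM both passes and aligns with the From: domain. The DNS zone is constructed, DKIM signature verification itself is assumed to have happened upstream (only its result and d= domain are passed in), and the SPF evaluator handles only ip4/ip6/all mechanisms.

```python
import ipaddress

# Constructed DNS zone standing in for live TXT lookups (assumption: no network access).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "newsletter.example.com": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@example.com",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain: str, sending_ip: str) -> str:
    """Walk the SPF terms left to right; the first matching ip4/ip6/all mechanism decides
    (include:, a and mx mechanisms are omitted to keep the example short)."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        kind, _, value = term.lstrip("+-~?").partition(":")
        if kind == "all":
            return RESULT[qualifier]
        if kind in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return RESULT[qualifier]
    return "neutral"

def dmarc_policy(from_domain: str) -> dict:
    """Parse the _dmarc TXT record into its tag=value pairs."""
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else {}

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts the same organizational domain (last two labels here)."""
    if mode == "s":
        return from_domain == auth_domain
    org = lambda d: ".".join(d.lower().split(".")[-2:])
    return org(from_domain) == org(auth_domain)

def evaluate_dmarc(from_domain: str, mail_from_domain: str, sending_ip: str,
                   dkim_domain: str = "", dkim_valid: bool = False) -> str:
    """'pass' if SPF or DKIM passes *and* aligns with From:, else the published action."""
    policy = dmarc_policy(from_domain)
    if not policy:
        return "no-policy"
    spf_ok = (check_spf(mail_from_domain, sending_ip) == "pass"
              and aligned(from_domain, mail_from_domain, policy.get("aspf", "r")))
    dkim_ok = dkim_valid and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else policy.get("p", "none")
```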

Comparison of Phishing Types

| Type | Delivery Channel | Targeting | Primary Goal | Key Defense |
|------|------------------|-----------|--------------|-------------|
| Email phishing | Email | Mass (untargeted) | Credential theft | SPF, DKIM, DMARC, anti-phishing filter |
| Spear phishing | Email | Specific individual | Credential theft, malware delivery | Security awareness training |
| Whaling | Email | Executives | Wire fraud, data theft | Multi-person authorization for transfers |
| Smishing | SMS | Mass or targeted | Credential theft, malware install | Carrier filters, URL verification |
| Vishing | Voice call | Mass or targeted | Credential disclosure, OTP theft | Call-back verification, no OTP over phone |
| Pharming | DNS/hosts file | All site visitors | Credential theft at scale | DNSSEC, certificate validation, HTTPS |

Key Takeaways

  • Phishing accounts for 36% of all data breaches (Verizon DBIR 2023).
  • 3.4 billion phishing emails are sent daily (Symantec).
  • The 6 phishing types are: email phishing, spear phishing, whaling, smishing, vishing, and pharming.
  • Homograph attacks use visually identical Unicode characters to create convincing fake domains that differ at the code-point level.
  • SPF, DKIM, and DMARC are the 3 email authentication standards that prevent domain spoofing at the protocol level.
  • Always verify a link by hovering, reading the actual domain from right to left, and navigating via direct URL entry rather than clicking email links.

Frequently Asked Questions

What is the most common type of phishing attack?

Email phishing is the most common type, with 3.4 billion phishing emails sent daily (Symantec). It uses mass mailings that impersonate trusted brands to steal credentials or deliver malware via malicious links and attachments.

What is the difference between phishing and spear phishing?

Phishing is untargeted, sent to large numbers of recipients. Spear phishing is targeted at a specific individual or organization using personalized information. Spear phishing has a 19x higher click rate (Proofpoint 2023).

How can you tell if an email is phishing?

Check the actual sender email address (not just display name), hover over links to verify the real URL, look for urgency or threat language, and verify unexpected requests by contacting the sender through a known official channel.

What is pharming and how does it differ from phishing?

Pharming poisons DNS records or the local hosts file to redirect users from a correct URL to a malicious site. Unlike phishing, no deceptive link or email is required—the user types a legitimate URL and is silently redirected.

What are SPF, DKIM, and DMARC?

SPF lists authorized sending IPs for a domain. DKIM adds a cryptographic signature to verify message authenticity. DMARC specifies what to do when SPF or DKIM fails. All 3 work together to prevent email domain spoofing.

Last Thoughts on What Is Phishing

Phishing exploits human trust rather than technical flaws, making it the leading cause of data breaches despite decades of security awareness efforts. The 6 types—email phishing, spear phishing, whaling, smishing, vishing, and pharming—share a common principle: impersonation of a trusted entity.

Technical defenses (SPF, DKIM, DMARC, anti-phishing gateways) reduce attack volume at the infrastructure level. User behavior—URL verification, independent channel confirmation, and resistance to urgency pressure—eliminates the attacks that reach the inbox.

Nizam Ud Deen

Nizam Ud Deen is the founder of theCoreiTech, a tech-focused platform dedicated to simplifying the world of computers, hardware, and digital innovation. With nearly a decade of experience in digital marketing and IT, Nizam combines strategic marketing insight with deep technical understanding. As a passionate entrepreneur, he has built multiple successful digital products and online ventures, helping bridge the gap between technology and everyday users. His mission through theCoreiTech is to empower readers to make informed decisions about computers, hardware, and emerging tech trends through clear, data-driven, and actionable content.
